[SECURITY] Major security flaw due to hardcoded JWT secret!

[1RandomDev]

• App version: 2.3.1

---

Bug description: I noticed that the secret for generating JWTs when logging in is hardcoded in the .env file. This key is publicly known and the same for every instance and therefor entirely bypasses password authentication. You can use every token generated by every flame instance to log into every other instance!

Solution: This issue can be easily solved by setting the SECRET environment variable to a long random string, but unfortunately this is mentioned nowhere in the README. Additionally there should NEVER be a default secret key, it should be required to be set by the user or be randomly generated on each start if not set. In this case even if the user fails to configure it properly a new key will be generated on each start invalidating existing sessions.

Proof: You can easily try this out by logging out of your dashboard, open the local storage editor in your browsers dev tools and add the following entry: Key: token Value: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhcHAiOiJmbGFtZSIsImlhdCI6MTcyNDc3MDUyNiwiZXhwIjoxNzU2MzI4MTI2fQ.lQ-qxon9MrSrU_-6sdIApO8fURVRq0kUpwLUIkqAnFE This should log you in to every flame dashboard that's out there regardless of the set password.